Zomato hacker agrees to destroy all stolen data

Zomato attributed the breach to human error, where an employee’s development account got compromised and hackers got to lay their hands on the dataAnu Thomas | ET Online | May 19, 2017, 15:15 IST

Zomato has suffered a security breach with over 17 million user records stolen from the food-tech company's database. The stolen information has email addresses and hashed passwords of customers.

According to Hackeread.com, a user by the name of "nclay" claimed to have hacked Zomato and was willing to sell data pertaining to 17 million registered users on a popular Dark Web marketplace.

This included emails and password hashes of registered Zomato users with the price set for the whole package at $1,001.43 (BTC 0.5587) - BTC here stands for Bitcoins. Hackeread adds the vendor also published data and evidence to prove it was genuine.

Hashing turns an original password into an incoherent set of characters, bringing down the possibility of it being easily converted back to plain text. Furthermore, passwords of Zomato's 120 million users are reportedly salted as well, whereby characters are added at random before the password hashed, rendering it unintelligible even if the hash is translated.

Although in theory the password may still be safe, Zomato is encouraging its users to change that password if used for any other services.

Amid the news of the leak, no payment information or credit card data has been stolen, the company said in a note released to the press. 'In our security investigation, we have found no evidence of unauthorized access to financial information,' it states. 'Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault,' it further added.

Despite assurances that increased levels of precautions were made to safeguard users' data, the company, as a preventive measure, has reset the passwords for all affected users and logged them out of its app and website. 'Since we have reset the passwords, affected users' Zomato account as well as credit card information is secure, so there is nothing to worry about there.'

In the blogpost, Zomato has attributed human error as the cause of the security breach where an employee’s development account got compromised. 'Our team is actively scanning all possible breach vectors and closing any gaps in our environment,' the blog stated.

Over the next couple of weeks, the company will reportedly work towards plugging further security gaps - if any - in its systems. This will include adding a layer of authorisation for internal teams having access to such data to avoid the possibility of any human breach.

Here is the full text of Zomato's statement:

Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that’s something we do diligently, without fail. We take cyber security very seriously - if you’ve been a regular at Zomato for years, you’d agree.

The reason you’re reading this blog post is because of a recent discovery by our security team - about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.

We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We however, strongly advise you to change your password for any other services where you are using the same password.

Important note - payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.

As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach - some employee’s development account got compromised.

How can this stolen information be misused?

Since we have reset the passwords for all affected users and logged them out of the app and website, your zomato account is secure. Your credit card information on Zomato is fully secure, so there’s nothing to worry about there.

What next?

Over the next couple of days and weeks, we’ll be actively working to plug any more security gaps that we find in our systems.

We’ll be further enhancing security measures for all user information stored within our databaseA layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach.We regret any disruption this may cause and appreciate your immediate attention to this information. If you have queries/concerns, please do not hesitate to contact our security team by sending an email directly to support@zomato.com and we’ll reach out to you right away.